1 files changed, 97 insertions, 10 deletions

diff --git a/security/nss/gtests/ssl_gtest/tls_agent.cc b/security/nss/gtests/ssl_gtest/tls_agent.cc
index fb66196b5..88640481e 100644
--- a/security/nss/gtests/ssl_gtest/tls_agent.cc
+++ b/security/nss/gtests/ssl_gtest/tls_agent.cc
@@ -47,6 +47,8 @@ const std::string TlsAgent::kServerEcdsa521 = "ecdsa521";
 const std::string TlsAgent::kServerEcdhRsa = "ecdh_rsa";
 const std::string TlsAgent::kServerEcdhEcdsa = "ecdh_ecdsa";
 const std::string TlsAgent::kServerDsa = "dsa";
+const std::string TlsAgent::kDelegatorEcdsa256 = "delegator_ecdsa256";
+const std::string TlsAgent::kDelegatorRsae2048 = "delegator_rsae2048";
 
 static const uint8_t kCannedTls13ServerHello[] = {
     0x03, 0x03, 0x9c, 0xbc, 0x14, 0x9b, 0x0e, 0x2e, 0xfa, 0x0d, 0xf3,
@@ -127,16 +129,76 @@ void TlsAgent::SetState(State s) {
                                           ScopedCERTCertificate* cert,
                                           ScopedSECKEYPrivateKey* priv) {
   cert->reset(PK11_FindCertFromNickname(name.c_str(), nullptr));
+  EXPECT_NE(nullptr, cert);
+  if (!cert) return false;
   EXPECT_NE(nullptr, cert->get());
   if (!cert->get()) return false;
 
   priv->reset(PK11_FindKeyByAnyCert(cert->get(), nullptr));
+  EXPECT_NE(nullptr, priv);
+  if (!priv) return false;
   EXPECT_NE(nullptr, priv->get());
   if (!priv->get()) return false;
 
   return true;
 }
 
+// Loads a key pair from the certificate identified by |id|.
+/*static*/ bool TlsAgent::LoadKeyPairFromCert(const std::string& name,
+                                              ScopedSECKEYPublicKey* pub,
+                                              ScopedSECKEYPrivateKey* priv) {
+  ScopedCERTCertificate cert;
+  if (!TlsAgent::LoadCertificate(name, &cert, priv)) {
+    return false;
+  }
+
+  pub->reset(SECKEY_ExtractPublicKey(&cert->subjectPublicKeyInfo));
+  if (!pub->get()) {
+    return false;
+  }
+
+  return true;
+}
+
+void TlsAgent::DelegateCredential(const std::string& name,
+                                  const ScopedSECKEYPublicKey& dc_pub,
+                                  SSLSignatureScheme dc_cert_verify_alg,
+                                  PRUint32 dc_valid_for, PRTime now,
+                                  SECItem* dc) {
+  ScopedCERTCertificate cert;
+  ScopedSECKEYPrivateKey cert_priv;
+  EXPECT_TRUE(TlsAgent::LoadCertificate(name, &cert, &cert_priv))
+      << "Could not load delegate certificate: " << name
+      << "; test db corrupt?";
+
+  EXPECT_EQ(SECSuccess,
+            SSL_DelegateCredential(cert.get(), cert_priv.get(), dc_pub.get(),
+                                   dc_cert_verify_alg, dc_valid_for, now, dc));
+}
+
+void TlsAgent::EnableDelegatedCredentials() {
+  ASSERT_TRUE(EnsureTlsSetup());
+  SetOption(SSL_ENABLE_DELEGATED_CREDENTIALS, PR_TRUE);
+}
+
+void TlsAgent::AddDelegatedCredential(const std::string& dc_name,
+                                      SSLSignatureScheme dc_cert_verify_alg,
+                                      PRUint32 dc_valid_for, PRTime now) {
+  ASSERT_TRUE(EnsureTlsSetup());
+
+  ScopedSECKEYPublicKey pub;
+  ScopedSECKEYPrivateKey priv;
+  EXPECT_TRUE(TlsAgent::LoadKeyPairFromCert(dc_name, &pub, &priv));
+
+  StackSECItem dc;
+  TlsAgent::DelegateCredential(name_, pub, dc_cert_verify_alg, dc_valid_for,
+                               now, &dc);
+
+  SSLExtraServerCertData extra_data = {ssl_auth_null, nullptr, nullptr,
+                                       nullptr,       &dc,     priv.get()};
+  EXPECT_TRUE(ConfigServerCert(name_, true, &extra_data));
+}
+
 bool TlsAgent::ConfigServerCert(const std::string& id, bool updateKeyBits,
                                 const SSLExtraServerCertData* serverCertData) {
   ScopedCERTCertificate cert;
@@ -224,6 +286,9 @@ bool TlsAgent::EnsureTlsSetup(PRFileDesc* modelSocket) {
   EXPECT_EQ(SECSuccess, rv);
   if (rv != SECSuccess) return false;
 
+  // All these tests depend on having this disabled to start with.
+  SetOption(SSL_ENABLE_EXTENDED_MASTER_SECRET, PR_FALSE);
+
   return true;
 }
 
@@ -251,6 +316,10 @@ bool TlsAgent::MaybeSetResumptionToken() {
   return true;
 }
 
+void TlsAgent::SetAntiReplayContext(ScopedSSLAntiReplayContext& ctx) {
+  EXPECT_EQ(SECSuccess, SSL_SetAntiReplayContext(ssl_fd_.get(), ctx.get()));
+}
+
 void TlsAgent::SetupClientAuth() {
   EXPECT_TRUE(EnsureTlsSetup());
   ASSERT_EQ(CLIENT, role_);
@@ -279,7 +348,7 @@ SECStatus TlsAgent::GetClientAuthDataHook(void* self, PRFileDesc* fd,
   ScopedCERTCertificate peerCert(SSL_PeerCertificate(agent->ssl_fd()));
   EXPECT_TRUE(peerCert) << "Client should be able to see the server cert";
 
-  // See bug 1457716
+  // See bug 1573945
   // CheckCertReqAgainstDefaultCAs(caNames);
 
   ScopedCERTCertificate cert;
@@ -640,6 +709,16 @@ void TlsAgent::CheckAlpn(SSLNextProtoState expected_state,
   }
 }
 
+void TlsAgent::CheckEpochs(uint16_t expected_read,
+                           uint16_t expected_write) const {
+  uint16_t read_epoch = 0;
+  uint16_t write_epoch = 0;
+  EXPECT_EQ(SECSuccess,
+            SSL_GetCurrentEpoch(ssl_fd(), &read_epoch, &write_epoch));
+  EXPECT_EQ(expected_read, read_epoch) << role_str() << " read epoch";
+  EXPECT_EQ(expected_write, write_epoch) << role_str() << " write epoch";
+}
+
 void TlsAgent::EnableSrtp() {
   EXPECT_TRUE(EnsureTlsSetup());
   const uint16_t ciphers[] = {SRTP_AES128_CM_HMAC_SHA1_80,
@@ -715,26 +794,26 @@ void TlsAgent::WaitForErrorCode(int32_t expected, uint32_t delay) const {
 }
 
 void TlsAgent::CheckPreliminaryInfo() {
-  SSLPreliminaryChannelInfo info;
+  SSLPreliminaryChannelInfo preinfo;
   EXPECT_EQ(SECSuccess,
-            SSL_GetPreliminaryChannelInfo(ssl_fd(), &info, sizeof(info)));
-  EXPECT_EQ(sizeof(info), info.length);
-  EXPECT_TRUE(info.valuesSet & ssl_preinfo_version);
-  EXPECT_TRUE(info.valuesSet & ssl_preinfo_cipher_suite);
+            SSL_GetPreliminaryChannelInfo(ssl_fd(), &preinfo, sizeof(preinfo)));
+  EXPECT_EQ(sizeof(preinfo), preinfo.length);
+  EXPECT_TRUE(preinfo.valuesSet & ssl_preinfo_version);
+  EXPECT_TRUE(preinfo.valuesSet & ssl_preinfo_cipher_suite);
 
   // A version of 0 is invalid and indicates no expectation.  This value is
   // initialized to 0 so that tests that don't explicitly set an expected
   // version can negotiate a version.
   if (!expected_version_) {
-    expected_version_ = info.protocolVersion;
+    expected_version_ = preinfo.protocolVersion;
   }
-  EXPECT_EQ(expected_version_, info.protocolVersion);
+  EXPECT_EQ(expected_version_, preinfo.protocolVersion);
 
   // As with the version; 0 is the null cipher suite (and also invalid).
   if (!expected_cipher_suite_) {
-    expected_cipher_suite_ = info.cipherSuite;
+    expected_cipher_suite_ = preinfo.cipherSuite;
   }
-  EXPECT_EQ(expected_cipher_suite_, info.cipherSuite);
+  EXPECT_EQ(expected_cipher_suite_, preinfo.cipherSuite);
 }
 
 // Check that all the expected callbacks have been called.
@@ -766,6 +845,13 @@ void TlsAgent::ResetPreliminaryInfo() {
   expected_cipher_suite_ = 0;
 }
 
+void TlsAgent::UpdatePreliminaryChannelInfo() {
+  SECStatus rv = SSL_GetPreliminaryChannelInfo(ssl_fd_.get(), &pre_info_,
+                                               sizeof(pre_info_));
+  EXPECT_EQ(SECSuccess, rv);
+  EXPECT_EQ(sizeof(pre_info_), pre_info_.length);
+}
+
 void TlsAgent::ValidateCipherSpecs() {
   PRInt32 cipherSpecs = SSLInt_CountCipherSpecs(ssl_fd());
   // We use one ciphersuite in each direction.
@@ -828,6 +914,7 @@ void TlsAgent::Connected() {
   // Preliminary values are exposed through callbacks during the handshake.
   // If either expected values were set or the callbacks were called, check
   // that the final values are correct.
+  UpdatePreliminaryChannelInfo();
   EXPECT_EQ(expected_version_, info_.protocolVersion);
   EXPECT_EQ(expected_cipher_suite_, info_.cipherSuite);